(54) Title: METHOD FOR BLOCKING DENIAL OF SERVICE AND ADDRESS SPOOFING ATTACKS ON A PRIVATE NETWORK



(57) Abstract 

A method is provided for blocking attacks on a private network (12). The method is implemented by a routing device (10) interconnecting the private network (12) to a public network (14). The method includes analyzing an incoming data packet from the public network (14). The incoming data packet is then matched against known patterns, where the known patterns are associated with known forms of attack on the private network (12). A source of the data packet is then identified as malicious or non-malicious based upon the matching. In one embodiment, one of the known forms of attack is a denial of service attack and an associated known pattern is unacknowledged data packets. In another embodiment, one of the known forms of attack is an address spoofing attack and an associated known pattern is a data packet having a source address matching an internal address of the private network (12).

METHOD FOR BLOCKING DENIAL OF SERVICE AND 
ADDRESS SPOOFING ATTACKS ON A PRIVATE NETWORK 

TECHNICAL FIELD OF THE INVENTION 

This invention relates in general to communication systems, and more particularly to a method for blocking denial of service and address spoofing attacks on a private network.

BACKGROUND OF THE INVENTION

Corporate and other private networks often provide external access outward and inward through Internet gateways, firewalls or other routing devices. It is important for these routing devices to defend the private network against attackers from the outside as well as to allow access to the private network by authorized users. However, there are numerous forms of attack on a conventional routing device that can incapacitate the device and interfere with an associated private network. Keeping unauthorized persons from accessing data is a large problem for corporate and other information service management. Routing devices, such as gateways, firewalls and network routers, lack important safeguards to block or prevent attacks. In particular, the number of denial of service attacks has risen dramatically in recent years. Further, IP spoofing incidents occur with increasing frequency.
A denial of service attack consists of repeatedly sending requests for connections to different hosts through and/or behind the routing device. Typically, the host will wait for acknowledgment from the requester. Because a host can only handle a finite number of requests (for example, 1 to n, where n depends on the resources available to the host), the attacker can crash or "flood" a host with requests to the point of disrupting the host, server or port for users.

Another form of attack is address spoofing, which can be used by unauthorized third parties to gain access to a private network. This attack involves the attacker identifying a valid internal network address within the private network. The attacker then requests access to the private network through the routing device by spoofing that internal network address. Conventional routing devices typically are not sophisticated enough to determine that such a request should be denied (i.e., because an external request cannot originate from an internal address) and will allow access to the attacker. Address spoofing attacks can be carried out against various types of networks and network protocols such as IPX/SPX, MAC layer, NetBIOS and IP.

It is therefore advantageous to provide facilities within a routing device that block denial of service, address spoofing and other attacks on an associated private network.

SUMMARY OF THE INVENTION

In accordance with the present invention, a method for blocking denial of service and address spoofing attacks on a private network is disclosed that provides significant advantages over conventional network routing devices.

According to one aspect of the present invention, the method is implemented by a routing device interconnecting the private network to a public network. The method includes analyzing an incoming data packet from the public network. The incoming data packet is then matched against known patterns, where the known patterns are associated with known forms of attack on the private network. A source of the data packet is then identified as malicious or non-malicious based upon the matching. In one embodiment, one of the known forms of attack is a denial of service attack and an associated known pattern is unacknowledged data packets. In another embodiment, one of the known forms of attack is an address spoofing attack and an associated known pattern is a data packet having a source address matching an internal address of the private network.

A technical advantage of the present invention is the enabling of a routing device to identify a denial of service attack and to block such an attack from tying up the routing device.

Another technical advantage of the present invention is enabling a routing device to identify an address spoofing attack and to block such an attack.

A further technical advantage of the present invention is an ability for the routing device to track information about the attacker to allow preventive measures to be taken.

Other technical advantages should be readily apparent to one skilled in the art from the following figures, description, and claims.



BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention and advantages thereof may be acquired by referring to the following description taken in conjunction with the accompanying drawings, in which like reference numbers indicate like features, and wherein:

FIGURE 1 is a block diagram of a communication system including a routing device and an associated private network;

FIGURE 2 is a flow chart of one embodiment of a method for blocking attacks on a private network according to the present invention;

FIGURE 3 is a flow chart of one embodiment of a method for blocking an address spoofing attack according to the present invention; and

FIGURE 4 is a flow chart of one embodiment of a method for blocking a denial of service attack according to the present invention.



DETAILED DESCRIPTION OF THE INVENTION
" ' : FIGURE 1 'is'' a- -block diagram of : an '-communication 

•''system"' including -a routing- device 10 and "ah associated 
private 'network 12.- 1 Routing 1 -device 16" ; provi'des' a- ; 
15 connection between corporate -private network 12 and an 

"""" Internet cloud 14-. Routing device "10 : can include a 
" gateway, firewall or other 'device interconnecting private 

network 12 and : Internet : clbud : T4'. In operation, -routing 
' device' 10 allows internal users within private network 12 
20~' * "to gain access to Internet ; cloud 14. - Routing device 10 

also : allows external users "Connected to Internet cloud 14 
to gain access*' to private ^network 12 . 1 '"A- significant and 
growing problem -is that an "attacker 16 -may try to gain 
access to or disrupt private : network 12 through' Internet 

25 cloud "14 ' *" '"' - " •'• - • * ^ : • • • " : ■ '" 1 : 

Denial i: of service and ~ address spoofing are two 
common " forms ' of attack that might "be used : by attacker 16. 
In -general, a denial service attack is ~ one in which 
attacker 16 attempts to 'prevent others - from using private 
30 network 12. A denial' service attack works if routing 

device 10 spends all of its time' processing requests and 
cannot respond quickly enough" to' satisfy additional 
requests. " An Address spoofing- attack" is on in which 
attacker 16 fakes an" internal address' to get" around or 
35 into standard address filtering schemes . According to 



BNSDOCID: <WO 9948303A2J_> 



\- ' WO 99/48303 PCT/US99/05900 



t-he : gr es ent^. , i-nyent i-op , : : r ou t ing; 'de,y ic e i0_ is. enabled with 
a method^ for^,blocking :r thesei and other- types T of , attacks by- 
analyzing incoming data : packet.s : t : l . \>: -r.-- * 
Thus, one possible occurrence is that attacker 16 will try to get into private network 12 by spoofing an address that exists inside private network 12. This is intended to allow attacker 16 to gain access and impersonate an internal user. When a packet from attacker 16 reaches routing device 10, an attack blocking component according to the present invention will notice that the address matches one that exists within private network 12. Because a packet arriving from the public network should not carry a source address that belongs to the private network, the attack blocking component can deny access to private network 12 and record the information about the attack for use by the system administrator. Attacker 16 can also try to deny access to all external users by conducting a denial of service attack. This involves attacker 16 flooding private network 12 or routing device 10 by sending an extremely large number of packets. For example, attacker 16 may send 30,000 or more packets. According to the present invention, the attack blocking component of routing device 10 can notice that the first packet is spoofed or that it cannot be acknowledged and ignore all other packets. Further, routing device 10 can use diagnostic detection tools (e.g., traceroute, ping, nslookup) to pinpoint attacker 16 and notify the system administrator. In general, according to the present invention, routing device 10 can be enabled to intelligently analyze incoming packets, match the packets against known patterns for attack strategies and respond accordingly to malicious packets.

FIGURE 2 is a flow chart of one embodiment of a method for blocking attacks on a private network according to the present invention. As shown, an incoming packet is analyzed by the routing device in step 20. In step 22, the routing device analyzes the incoming packet against known patterns. Based upon this pattern matching, in step 24, the routing device can identify the data packet and its source as malicious or non-malicious.

The known patterns used in step 22 can be built using knowledge about various types of attack. This knowledge can be recorded in the form of patterns that are then stored in a database or other storage device accessible by the routing device. The routing device can then match the analyzed packets against the patterns to determine whether or not some type of attack is being made. If an attack is identified, the routing device can identify the source of that packet as malicious and treat the source accordingly.

In particular, the routing device can implement methods for blocking denial of service attacks and address spoofing attacks as shown, for example, in FIGURES 3 and 4. FIGURE 3 is a flow chart of one embodiment of a method for blocking an address spoofing attack according to the present invention. This method is applicable to address spoofing attacks on various types of networks, but is described specifically with respect to an IP network.

As shown in step 30 of FIGURE 3, the routing device receives a packet. In step 32, the routing device compares the source IP address of the packet against known internal IP addresses of the associated private network. In step 34, the routing device determines if the source IP address matches an internal address. If not, in step 36, the routing device routes the packet as appropriate for the packet. However, if the source IP address matches an internal address, then the routing device identifies that there is an attempt to spoof an internal address. The address is known to be spoofed because an internal IP address of the private network cannot be accessing the private network from an external point. Consequently, in step 38, the routing device drops the packet and does not route it to the network. In step 40, the routing device analyzes the packet header for the history of the packet in order to obtain some information about the source of the packet. Then, in step 42, the routing device takes an appropriate defensive action against that packet. For example, the routing device can refuse to accept any more packets from the real source of the packet. In this case, the defensive action can include adding the offending IP address to a cache of IP addresses, and then not allowing access to the routing device for any IP address in the cached list. Further, the routing device can store information about the attack for later use and analysis by administrators of the private network. For example, information concerning the packet origination, destination or content can be stored internally to the routing device or sent to a syslog server for later analysis.
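As an added example (not code from the patent or from any product implementing it), the following Python sketches the pattern-matching loop of FIGURE 2 with the FIGURE 3 source-address check as one of its known patterns. Packet, Classifier, the pattern names and the addresses are hypothetical, and the sample traffic is constructed. It goes one step beyond the text by also checking the reverse direction: a packet leaving the private network whose source is not an internal address is dropped too (egress filtering), which the patent does not describe.

```python
"""Pattern-matching packet classifier in the shape of FIGURE 2, with the
FIGURE 3 anti-spoofing check as one of the known patterns.

Added example, not code from the patent. Packet, Classifier, the pattern
names and the sample addresses are hypothetical; the traffic is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int      # the only "history" an IPv4 header carries by default
    iface: str    # "external" or "internal": the side the packet came in on


@dataclass
class Classifier:
    internal_prefixes: List[str]
    blocklist: set = field(default_factory=set)    # step 42: cache of offending addresses
    log: List[str] = field(default_factory=list)   # stand-in for a syslog server

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(p) for p in self.internal_prefixes]
        # Step 22: the table of known patterns. Each entry returns a reason
        # string when the packet matches an attack pattern, else None.
        self.patterns: List[Callable[[Packet], Optional[str]]] = [
            self.pattern_internal_source_on_external_iface,   # FIGURE 3
            self.pattern_external_source_on_internal_iface,   # egress check, not in the patent
            self.pattern_cached_offender,
        ]

    def is_internal(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in self._nets)

    def pattern_internal_source_on_external_iface(self, p: Packet) -> Optional[str]:
        # Steps 32/34: a source inside the private network cannot legitimately
        # arrive from the public side.
        if p.iface == "external" and self.is_internal(p.src):
            return "spoofed internal source"
        return None

    def pattern_external_source_on_internal_iface(self, p: Packet) -> Optional[str]:
        # Generalisation: a packet leaving the private network must carry an
        # internal source, otherwise an inside host is spoofing.
        if p.iface == "internal" and not self.is_internal(p.src):
            return "spoofed external source from inside"
        return None

    def pattern_cached_offender(self, p: Packet) -> Optional[str]:
        # Applied on the external side only: a cached address that was spoofed
        # belongs to an impersonated inside host, which must not be cut off.
        if p.iface == "external" and p.src in self.blocklist:
            return "source in blocklist"
        return None

    def classify(self, p: Packet) -> str:
        """Steps 20-24: return 'route' or 'drop' and record any match."""
        for pattern in self.patterns:
            reason = pattern(p)
            if reason is not None:
                # Step 38: drop. Step 40: keep what the header tells us (TTL here).
                self.log.append(
                    f"drop src={p.src} dst={p.dst} ttl={p.ttl} iface={p.iface} reason={reason}")
                # Step 42: defensive action, cache the offending address.
                self.blocklist.add(p.src)
                return "drop"
        return "route"


def run_demo() -> List[str]:
    """Constructed traffic: two inbound spoofs, ordinary traffic both ways, one egress spoof."""
    c = Classifier(["10.0.0.0/8", "192.168.1.0/24"])
    traffic = [
        Packet("10.0.0.5", "10.0.0.1", 64, "external"),         # claims to be internal: drop
        Packet("203.0.113.7", "10.0.0.1", 55, "external"),      # ordinary inbound: route
        Packet("192.168.1.20", "10.0.0.1", 64, "external"),     # also internal: drop
        Packet("10.0.0.9", "203.0.113.7", 64, "internal"),      # ordinary outbound: route
        Packet("198.51.100.4", "203.0.113.7", 64, "internal"),  # inside host spoofing: drop
    ]
    return [c.classify(p) for p in traffic]
```

One caveat a practitioner would add to step 42: for a spoofed packet the source address is, by definition, not the attacker's, so caching it as an "offender" blocks the impersonated host rather than the attacker. That is why the cached-offender pattern above is applied only on the external interface, and why the interface-based check, standardised later as network ingress filtering (RFC 2827 / BCP 38), does the real work.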

FIGURE 4 is a flow chart of one embodiment of a method for blocking a denial of service attack according to the present invention. As shown, in step 50, the routing device receives a request for a connection. Then, in step 52, the routing device asks for an acknowledgment from the requestor. In step 54, the routing device checks whether or not an acknowledgment has been received. If one is not received within a specified period of time, the routing device moves to step 56 and denies the request. This denial ensures that the routing device does not churn on pending requests even though acknowledgments have not been received within reasonable amounts of time.

If an acknowledgment is received in step 54, the routing device moves to step 58 and compares the requested connection to existing connections. Then, in step 60, the routing device determines if there is a match between the requested connection and one of the existing connections. If so, the routing device moves to step 56 and denies the request. The request is denied because one source should not have more than one connection through the routing device to the private network. If, in step 60, there is no match, then the routing device can allow the connection in step 62. The method of FIGURE 4 prevents the routing device from being tied up by multiple requests from one source and thereby blocks the denial of service attack.

In general, the method of the present invention can be integrated as a component of a gateway, firewall or other routing device. In one implementation, the present invention can work off of a variable size cache file that holds network addresses. For blocking spoofing, each incoming address can be held in the cache file and checked to see if the incoming address matches a network address that is on the private network. If the incoming address matches, then the request can be denied. Also, a message can be sent to a system log which, rather than being written to a file, can be written to a console to prevent the log from getting overloaded and crashing the routing device. Further, an optional E-mail message or page can be sent to a specified address or number in the case of an attack. If an attack happens more than once on the same address in the span of a certain period of time (for example, five minutes), then the number of messages can be limited to prevent overloading of the E-mail or paging service. An optional shutdown mechanism can also be in place that will enable the routing device to automatically shut down certain services if attacks continue.
Denial of service attacks are generally easier to trace. However, when such an attack is also spoofed, the problem becomes very difficult to stop. According to the present invention, an incoming address can be checked against the cache file and a quick search can be performed to see if the address is already in a list of pending addresses. If so, the request packet can be discarded. An address is removed from the list if a successful acknowledge packet is sent back or a variable time limit is reached. The number of matching addresses that are allowed in the list can be a variable set by the system administrator.
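The FIGURE 4 procedure together with the pending-address list, the administrator-set list bound and the alert throttling described in the two paragraphs above, as an added example (not code from the patent or from any product implementing it). ConnectionGate, run_trace and all addresses and timings are hypothetical; the event trace is constructed. The gate keeps one pending entry per source, expires entries whose acknowledgment does not arrive within the time limit, refuses a second connection from a source that already holds one (step 60), and limits alert messages per window.

```python
"""Connection-request gate in the shape of FIGURE 4 (steps 50-62), plus the
pending-address list, its administrator-set bound and the alert throttle
from the implementation notes.

Added example, not code from the patent. ConnectionGate, run_trace and the
addresses and timings are hypothetical; the event trace is constructed.
"""
from collections import deque
from typing import Deque, Dict, List, Set, Tuple


class ConnectionGate:
    def __init__(self, ack_timeout: float, max_pending: int,
                 alert_window: float = 300.0, max_alerts_per_window: int = 2):
        self.ack_timeout = ack_timeout      # "variable time limit" for the acknowledgment
        self.max_pending = max_pending      # bound on the pending list, set by the admin
        self.alert_window = alert_window    # e.g. five minutes
        self.max_alerts = max_alerts_per_window
        self.pending: Dict[str, float] = {}   # src -> time the request arrived (step 52)
        self.established: Set[str] = set()    # sources holding a connection (step 58)
        self.denied: List[Tuple[float, str, str]] = []
        self.alerts: List[Tuple[float, str]] = []   # e-mail/page messages actually sent
        self._alert_times: Deque[float] = deque()

    def _expire(self, now: float) -> None:
        # Steps 54/56: a request whose ack never arrived is denied once the
        # time limit passes, so the device does not churn on stale entries.
        for src, t0 in list(self.pending.items()):
            if now - t0 > self.ack_timeout:
                del self.pending[src]
                self.denied.append((now, src, "ack timeout"))

    def _alert(self, now: float, src: str) -> None:
        # Cap messages per window so the paging service is not itself flooded.
        while self._alert_times and now - self._alert_times[0] > self.alert_window:
            self._alert_times.popleft()
        if len(self._alert_times) < self.max_alerts:
            self._alert_times.append(now)
            self.alerts.append((now, src))

    def request(self, src: str, now: float) -> str:
        """Step 50: a connection request arrives from src at time now."""
        self._expire(now)
        if src in self.pending:
            # Implementation note: an address already in the pending list is
            # discarded, so a flood from one source costs one table entry.
            self._alert(now, src)
            return "discard"
        if len(self.pending) >= self.max_pending:
            self.denied.append((now, src, "pending list full"))
            return "deny"
        self.pending[src] = now             # step 52: ask for an ack and wait
        return "pending"

    def ack(self, src: str, now: float) -> str:
        """Step 54: an acknowledgment arrives from src at time now."""
        self._expire(now)
        if src not in self.pending:
            return "ignore"                 # late, or never requested
        del self.pending[src]
        if src in self.established:
            # Steps 58/60/56: one source may hold only one connection.
            self.denied.append((now, src, "duplicate connection"))
            return "deny"
        self.established.add(src)           # step 62
        return "allow"


def run_trace() -> Tuple[ConnectionGate, List[str]]:
    """Constructed trace: one legitimate client, one flooder that never acks,
    a list-full rejection, and a second connection attempt from the client."""
    gate = ConnectionGate(ack_timeout=2.0, max_pending=2)
    events = [
        (0.0, "req", "203.0.113.7"),    # legitimate client
        (0.5, "ack", "203.0.113.7"),    # acks in time: allowed
        (1.0, "req", "198.51.100.9"),   # flooder: first request is pended
        (1.1, "req", "198.51.100.9"),   # repeats are discarded (alert 1)
        (1.2, "req", "198.51.100.9"),   # (alert 2)
        (1.3, "req", "198.51.100.9"),   # alert throttled
        (1.4, "req", "198.51.100.10"),  # second flooder fills the list
        (1.5, "req", "198.51.100.11"),  # list full: denied
        (4.0, "req", "203.0.113.7"),    # both flooders time out here
        (4.5, "ack", "203.0.113.7"),    # second connection from one source: denied
        (5.0, "ack", "198.51.100.9"),   # ack after expiry: ignored
    ]
    decisions = []
    for now, kind, src in events:
        decisions.append(gate.request(src, now) if kind == "req" else gate.ack(src, now))
    return gate, decisions
```

Two caveats a practitioner would want: the one-connection-per-source rule of step 60 also rejects legitimate clients that open several connections, and every user behind a single NAT address shares one source address; and for TCP the request/acknowledgment exchange is the SYN, SYN-ACK, ACK handshake, which is what a SYN proxy tracks and what SYN cookies handle without keeping a pending table at all.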

Although the present invention has been described in detail, it should be understood that various changes, substitutions and alterations can be made thereto without departing from the spirit and scope of the invention as defined by the appended claims.






WHAT IS CLAIMED IS:

— 1". :: "A" itiet-hod ^or 'blocking"*- attacks- on rr a p'rivate 
- -rie-twork 'implemented : ~by-*a~ routing- : devi be -interconnecting 
the private network to a public : riet Worker -'comprising: 
5 , r < analyzi-ng -an 'ihcbmiing data - packet: -from -the public ^ 

network ; v 

matching the "incoming ; dat-a : pa'cket against known 
• patterns',-' the 'known patterns associated ' with known forms 
of attack oh the private network ; : -and - - - 
10 identifying a source of the data packet as : malicious 

" ' :: of nbn-malicious : base"d-' ;: upon : the' matching 1 . ' ; 

; - 2^.. - -The : 'method 6f : "Claim : iV : wherein- ' one - of the known 
forms of attack is a denial of service' attack and an 
15 associated known pattern -is unacknowledged data packets. 

■ 3 : - The method* of -Claim 1/ wherein one of the known 
* - forms of attack is^ah address : spoofing attack and an 

associated known pattern is a data packet having a source 
20 ■" *■ address matching an internal address 'of the private 
:* ; network '■ - .V r " °- : , . . . . 

4. The method of Claim 1, wherein the public 
-network" is thie" "--Internet - : - - 



: 5 . ; -The method' of Claim A, wherein the routing 
device is a firewall providing access to the Internet 
6. A method for blocking an address spoofing attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:
receiving an incoming data packet from the public network;
comparing a source address of the data packet against known internal addresses of the private network;
determining if the source address matches a known internal address;
if there is no match, routing the data packet to the private network; and
if there is a match, dropping the data packet.

7. The method of Claim 6, further comprising, if there is a match, analyzing a header of the data packet for a history of the data packet and taking defensive action against the data packet based upon the history.

8. The method of Claim 7, wherein the defensive action comprises refusing to accept any more data packets from a real source of the data packet.

9. The method of Claim 7, wherein the defensive action comprises storing information about the data packet for use and analysis by a system administrator.

10. The method of Claim 6, wherein the public network is the Internet.

11. The method of Claim 10, wherein the routing device is a firewall providing access to the Internet.
12. A method for blocking a denial of service attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:
receiving a request for a connection from the public network;
requesting an acknowledgment from an initiator of the request;
determining whether an acknowledgment has been received;
if an acknowledgment is not received, denying the request;
if an acknowledgment is received, comparing the request to existing connections;
if there is a match between the request and an existing connection, denying the request; and
if there is not a match between the request and an existing connection, allowing the connection and routing packets to the private network.

13. The method of Claim 12, wherein the public network is the Internet.

14. The method of Claim 13, wherein the routing device is a firewall providing access to the Internet.